- Add wm policy

- Make mls work in graphics mode
2009-01-21 21:22:11 +00:00 · 2009-01-21 21:22:11 +00:00 · 6cf32a1e8b
parent 1b94a1375f
commit 6cf32a1e8b
2 changed files with 26 additions and 15 deletions
--- a/policy-20090105.patch
+++ b/policy-20090105.patch
@ -22565,7 +22565,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.3/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/xserver.te	2009-01-21 14:02:11.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/xserver.te	2009-01-21 16:14:47.000000000 -0500
@@ -34,6 +34,13 @@
 ## <desc>
@ -23034,7 +23034,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 files_read_etc_files(xserver_t)
 files_read_etc_runtime_files(xserver_t)
-@@ -697,8 +817,12 @@
+@@ -697,8 +817,13 @@
 fs_search_nfs(xserver_t)
 fs_search_auto_mountpoints(xserver_t)
 fs_search_ramfs(xserver_t)
@ -23043,11 +23043,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 mls_xwin_read_to_clearance(xserver_t)
 +mls_process_write_to_clearance(xserver_t)
-+mls_file_write_to_clearance(xserver_t)
+mls_file_read_to_clearance(xserver_t)
 +mls_file_write_all_levels(xserver_t)
 selinux_validate_context(xserver_t)
 selinux_compute_access_vector(xserver_t)
-@@ -720,6 +844,7 @@
+@@ -720,6 +845,7 @@
 miscfiles_read_localization(xserver_t)
 miscfiles_read_fonts(xserver_t)
@ -23055,7 +23056,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 modutils_domtrans_insmod(xserver_t)
-@@ -774,6 +899,10 @@
+@@ -774,6 +900,10 @@
 ')
 optional_policy(`
@ -23066,7 +23067,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	rhgb_getpgid(xserver_t)
 	rhgb_signal(xserver_t)
 ')
-@@ -806,7 +935,7 @@
+@@ -806,7 +936,7 @@
 allow xserver_t xdm_var_lib_t:file { getattr read };
 dontaudit xserver_t xdm_var_lib_t:dir search;
@ -23075,7 +23076,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # Label pid and temporary files with derived types.
 manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -830,6 +959,10 @@
+@@ -830,6 +960,10 @@
 xserver_use_user_fonts(xserver_t)
@ -23086,7 +23087,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_dirs(xserver_t)
 	fs_manage_nfs_files(xserver_t)
-@@ -844,11 +977,14 @@
+@@ -844,11 +978,14 @@
 optional_policy(`
 	dbus_system_bus_client(xserver_t)
@ -23102,7 +23103,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -856,6 +992,11 @@
+@@ -856,6 +993,11 @@
 	rhgb_rw_tmpfs_files(xserver_t)
 ')
@ -23114,7 +23115,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 #
 # Rules common to all X window domains
-@@ -972,6 +1113,37 @@
+@@ -972,6 +1114,37 @@
 allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
 allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@ -23152,7 +23153,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ifdef(`TODO',`
 tunable_policy(`allow_polyinstantiation',`
 # xdm needs access for linking .X11-unix to poly /tmp
-@@ -986,3 +1158,13 @@
+@@ -986,3 +1159,13 @@
 #
 allow xdm_t user_home_type:file unlink;
 ') dnl end TODO
@ -23783,7 +23784,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 #
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.3/policy/modules/system/init.if
 --- nsaserefpolicy/policy/modules/system/init.if	2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/system/init.if	2009-01-20 14:42:59.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/system/init.if	2009-01-21 16:19:55.000000000 -0500
@@ -280,6 +280,27 @@
 			kernel_dontaudit_use_fds($1)
 		')
@ -23812,6 +23813,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
@@ -546,7 +567,7 @@
 		# upstart uses a datagram socket instead of initctl pipe
 		allow $1 self:unix_dgram_socket create_socket_perms;
 -		allow $1 init_t:unix_dgram_socket sendto;
 +		init_chat($1)
 	')
 ')
@@ -619,18 +640,19 @@
 #
 interface(`init_spec_domtrans_script',`
@ -27350,7 +27360,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.3/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/system/userdomain.if	2009-01-21 15:37:07.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/system/userdomain.if	2009-01-21 16:19:30.000000000 -0500
@@ -30,8 +30,9 @@
 	')
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.3
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -445,8 +445,9 @@ exit 0
 %endif
 %changelog
-* Wed Jan 21 2009 Dan Walsh <dwalsh@redhat.com> 3.6.3-4
+* Wed Jan 21 2009 Dan Walsh <dwalsh@redhat.com> 3.6.3-5
 - Add wm policy
 - Make mls work in graphics mode
 * Tue Jan 20 2009 Dan Walsh <dwalsh@redhat.com> 3.6.3-3
 - Fixed for DeviceKit